httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ashley Gould <ago...@ucop.edu>
Subject [users@httpd] SSL and AuthType Basic
Date Mon, 22 Aug 2005 20:58:17 GMT
I want to force use of https on directories where authentication is 
required to avoid sending htpasswords in the clear.  Example:

<Directory /web/www-data/blah/blah>
    RewriteEngine        on
    RewriteCond          %{HTTPS} !=on
    RewriteRule     (.*) https://www.ucop.edu/blah/blah/$1 [R]

    AuthType Basic
    AuthName "Restricted Area"
    AuthUserFile /usr/local/etc/httpd/htpasswd
    AuthGroupFile /usr/local/etc/httpd/htgroup
    Require group admins
</Directory>


This seems to work fine.  As soon as I authenticate, I'm pushed into
https.  But is the authentication itself actually encrypted?  What is
apache's behavior in this case?


p.s. mod_rewrite experts feel free to make suggestions about my rules.




-- 

-ashley

Did you try poking at it with a stick?


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message